Description

Jenkins Gitea Plugin 1.1.1 and earlier did not implement trusted revisions, allowing attackers without commit access to the Git repo to change Jenkinsfiles even if Jenkins is configured to consider them to be untrusted.

Remediation

References

http://www.openwall.com/lists/oss-security/2019/05/31/2

http://www.securityfocus.com/bid/108540

https://jenkins.io/security/advisory/2019-05-31/#SECURITY-1046

Related Vulnerabilities

CVE-2019-20149 Vulnerability in maven package org.webjars.bowergithub.jonschlinkert:kind-of

CVE-2021-21636 Vulnerability in maven package org.jenkins-ci.plugins:tfs

CVE-2023-43668 Vulnerability in maven package org.apache.inlong:manager-pojo

CVE-2022-25842 Vulnerability in maven package com.alibaba.oneagent:one-java-agent-plugin

CVE-2015-8858 Vulnerability in maven package org.webjars.npm:uglify-js

Severity

High

Classification

CWE-862 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Tags

Mailing List Third Party Advisory VDB Entry Vendor Advisory